Google Checkout currently accepts any SSL certificate whose root certificate is in this list of certificates. (See the note at the bottom about certificate chains.)
On the other hand, if you have an SSL certificate that currently doesn't work with Google Checkout, please add the details below. We'll try our best to include these certificates in our accepted list when appropriate. Please be sure to include a link to a server with the certificate installed so we can take a closer look at the certificate.
*.bizland.com SSL - https://protected.bizland.com
Alpha CA - https://www.iwishicouldget.com/google/m1_google_checkout_callback.php
Alpha CA - https://www.it-buy.co.uk/xml_google_order.htm This is sold through 123-reg.co.uk in the UK and they are fairly large. I'm now stuck with a three-year wildcard SSL cert that won't work with Google.

Note about certificate chains:

In most cases a usable certificate is made up of a CHAIN of certificates. The chain has the certificate authority's Root Certificate on one end, and the Server Certificate (which you purchased from that certificate authority) on the other end. In between there are usually one or more intermediate certificates.

For a successful connection (an API callback, for example) to be established, the client (i.e. Google) has to trust the issuer of the server certificate that is at your web store. This is to prevent John Q Public from issuing themselves certificates in other people's names.

Google has configured a list of root certificates that they trust. In practice, this means that any certificate in a chain that has one of those root certificates at the top is trusted, too. So, if your certificate has one of the listed root certs at the top, you're good...

EXCEPT: If your server certificate was put together incorrectly, it will not be trusted. To make things more annoying, your web browser may trust your "invalid" certificate, but Google may not. There are three common issues that may be the problem if your certificate works in a browser but not for Google callbacks:
1.) The root certificate associated with your server certificate is NOT in the list of root certificates that Google trusts.
2.) Parts of the certificate chain are missing (i.e. missing intermediate certificates).
3.) The certificate chain is jumbled up (i.e. certificates in the chain are in the wrong order). This seems to be an issue under some versions of Apache.
For #1 there are two solutions: either talk Google into adding your certificate vendor to the trusted list, or buy a cert from someone else. Before going out to buy a new one, go back to your certificate vendor and compare their root certificates with Google's list of root certificates.
For #2 the solution is to reconfigure your web server to make sure that all intermediate certificates are available. How to do this exactly depends on the web-server software you are running. If your web server is Java-based (Tomcat, JBoss etc.) you will have to get a third-party utility because the Java keytool can't "fix" incomplete certificate chains. To see your certificate chain in Java, issue the following command at the DOS prompt:

    keytool -list -v -keystore filename -storepass password > certinfo.txt

This will create a file called certinfo.txt that you can view in Notepad. You should see a bunch of information; towards the top it should say:

    Entry type: PrivateKeyEntry
    Certificate chain length: 2 (or 3 or 4...)

If the certificate chain length is 1, then you have problem #2: you do not have intermediate or root certs in your certificate chain, so Google cannot verify that your certificate was issued by a trusted certificate authority. You must use a third-party utility (send email to jeggers@tetrix.com) to fix your keystore.
For #3 the solution is a reconfiguration of your web server. Take a look at this thread, and also look at this thread; it may be of help.
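
As an added example (not part of the original page and not a Google or keytool utility), the following Python script reads the certinfo.txt output of the keytool command above and flags the three issues by comparing each certificate's Issuer with the Owner of the next one in the chain. The sample output, all names in it, the finding codes and the trusted_roots set are constructed for illustration; names are compared as strings only and no signatures are verified.

```python
import re

# Constructed `keytool -list -v` excerpt (made-up names): the chain length 1 case.
SAMPLE = """\
Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=shop.example.com, O=Example Store, C=US
Issuer: CN=Example Intermediate CA, O=Example CA, C=US
"""

def field(name, entry):
    """All values of a 'Name: value' line in one keystore entry, in listed order."""
    return [v.strip() for v in re.findall(rf"^{name}:\s*(.+)$", entry, re.M)]

def diagnose(text, trusted_roots):
    """Return finding codes for every PrivateKeyEntry in keytool -list -v output.

    Names are compared as strings only; no signature is verified.
    """
    findings = []
    for entry in text.split("Alias name:")[1:]:
        if "Entry type: PrivateKeyEntry" not in entry:
            continue  # skip trustedCertEntry items
        chain = list(zip(field("Owner", entry), field("Issuer", entry)))
        if not chain:
            continue
        if len(chain) == 1 and chain[0][0] != chain[0][1]:
            # Issue 2: server certificate alone, nothing links it to a root.
            findings.append("MISSING_INTERMEDIATES")
            continue
        linked = True
        for i in range(len(chain) - 1):
            if chain[i][1] != chain[i + 1][0]:
                # Issue 2 or 3: a gap or wrong order between neighbours.
                findings.append(f"BROKEN_LINK@{i + 1}")
                linked = False
        # Issue 1: the issuer named at the top must be a root the client trusts.
        if linked and chain[-1][1] not in trusted_roots:
            findings.append("UNTRUSTED_ROOT")
    return findings

if __name__ == "__main__":
    roots = {"CN=Example Root CA, O=Example CA, C=US"}  # stand-in for Google's list
    print(diagnose(SAMPLE, roots))
```

An empty result means the chain links up by name and ends at a listed root; it does not prove the signatures are valid.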